Privacy Policy
Effective 7 July 2026. Copal is operated by Bison Ventures Limited. Questions: support@copal.uk.
Who we are (data controller): Copal, a service of Bison Ventures Limited. Contact: support@copal.uk.
This policy covers the hosted Copal service at copal.uk, api.copal.uk and auth.copal.uk. Self-hosted deployments of the open-source components are controlled by whoever operates them, not by us.
What we collect
- •Account: your name (if given) and email address. Sign-in is a passwordless magic link, so we do not store a password.
- •Sign-in / session: session tokens, and the IP address and user-agent attached to a session.
- •Subscription & billing: your plan, subscription status, and Stripe customer/subscription identifiers. Card and payment details are handled entirely by Stripe — we never see or store full card numbers.
- •Your vault content: the notes, markdown, attachments, tags, and the derived keyword and semantic search indexes you create or upload.
- •Usage metering: per-account request counters, used for your plan's limits.
- •Connected apps/agents: OAuth client registrations, authorization grants, and access tokens for the MCP clients and agents you connect.
Why we process it (UK GDPR / EU GDPR)
- •Provide the service — performance of a contract: account, vault storage and search, auth, connected agents, subscription.
- •Billing, tax and accounting — contract and legal obligation, via Stripe.
- •Security, abuse prevention and metering — legitimate interests.
- •Transactional email (magic-link sign-in) — contract.
We do not sell your data, show advertising, send marketing email, or use your vault content to train models or profile you.
Sub-processors
We use Cloudflare (hosting and all storage/compute, plus transactional email) and Stripe (payments and subscriptions). The current list is at copal.uk/subprocessors, and we give notice of changes.
Where your data is stored, and international transfers
Copal runs on Cloudflare's global network, so your data and its derived indexes may be stored and processed outside the UK and EEA. We do not currently offer a UK/EU-only residency option. Where personal data is transferred outside the UK/EEA, we rely on the safeguards in the Cloudflare Data Processing Addendum — the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Stripe processes billing data under equivalent safeguards. If you require UK/EU residency, contact us before subscribing.
How long we keep it
- •Vault content and account data: kept until you delete your account.
- •Account deletion: a soft-delete with a 7-day grace window (so an accidental deletion can be undone), after which we irreversibly purge your vault (R2 objects, database index, vector index), your identity records, and cached sessions.
- •Billing records (Stripe customer): retained after account deletion where required for tax and accounting (in the UK, generally up to 6 years); the subscription itself is cancelled.
- •Session and token caches: expire automatically.
Your rights
Under UK/EU GDPR you have the right to access, rectify, erase, port, restrict, and object to the processing of your personal data, and to withdraw consent where processing relies on it. You can exercise the two main ones yourself:
- •Data export (portability): download a
.zipof your entire vault at any time. - •Erasure: request account deletion, which triggers the soft-delete and purge above.
For anything else, email support@copal.uk; we respond within one month. You can also complain to your data-protection authority — in the UK, the Information Commissioner's Office (ICO).
Cookies
We use a single essential cookie, the session cookie, required to keep you signed in. We use no analytics or advertising cookies.
Security and encryption posture
In transit: all traffic uses TLS. Credentials at rest: magic-link tokens and API/vault-sync tokens are stored hashed (SHA-256); there are no stored passwords. Each account's vault is isolated by tenant, and internal services talk over private service bindings, not the public internet.
At rest, your note content is stored as plaintext in Cloudflare R2, D1 (the keyword index) and Vectorize (semantic embeddings), protected by Cloudflare's platform-level at-rest encryption. Copal is deliberately not end-to-end encrypted or zero-knowledge: the service must be able to read your note content to provide its core features — semantic search, keyword indexing, and serving your notes to your AI agent. This is a deliberate trade-off for agent-readability and by-meaning search. If you need zero-knowledge storage where the provider cannot read your notes, Obsidian's own end-to-end-encrypted Sync is the better fit for those notes. Client-side-encrypted content (for example Remotely Save's end-to-end encryption) is incompatible with Copal, because encrypted blobs cannot be indexed or read by your agent. An opt-in per-note end-to-end "private" mode, which disables search for those notes, is on our roadmap.
No system is perfectly secure, but we design for least privilege.
Children
Copal is not directed to children under 16 and we do not knowingly collect their data.
Changes to this policy
We'll post changes here and update the effective date. For material changes we'll give notice by email to your account address or a prominent notice on the site.
Contact
support@copal.uk.